Thimbl - Decentralized Microblogging with SSH + finger (thimbl.net)
30 points by mgunes on Sept 27, 2010 | 48 comments



Hi everyone, thanks for the interest, Thimbl is not ready for public release, we are still working on it, so you'll have to be patient. Regarding why we use SSH: Because it is already available on your servers and is a standard, thus there is no barrier to getting started. Don't want to share "your" ssh password with some random website? No problem, how you implement access to your finger .plan files is up to you, create a special server with ssh service just for your .plan files, don't want to give your users shell accounts? Create a shell-less ssh service using something like conch or zope, etc whatever! Still not happy? Clone thimbl.net and run your own web interface! The point of using established standards is that everyone can do it their way. Thanks for the comments. With thimbl, any thimbl user can use any thimbl.net clone, and it makes no difference.


BTW, if you want to be notified when there is more to see, follow us on twitter @thimbl (or me @dmytri) (or identi.ca or friendfeed) or join our facebook page http://facebook.com/telekommunisten

Thanks Hacker News! Nice to see this pop up here, even if I wouldn't have posted it here just yet ;)



I like the idea. I'm still an old wort who uses usenet, irc, and email for most of my communications. I might still be using finger too if most hosts hadn't turned it off. Turns out finger was quite the security risk. If that has changed then I could see myself using it again.

As long as we can get a better peek into their implementation... I am curious, like others, why they're not using public key authorization, etc.


No publickey auth? Sorry, I thought it is 2010, so everyone uses authorized_keys (and passwords are only for emergencies)...

But the main problem is that this completely lacks any technical description.


thimbl.net stores no user data. Not even a key. Nothing.


A few things:

* I have to trust thimbl.net and/or you that you aren't storing anything.

* Even if you released your codebase on github (or similar) there is no guarantee (to outside users) that it is the same one that you are running on your servers.

* Your site is not https, meaning that my ssh password is going plain-text over the internet.

* Even if your site is 100% not doing anything funny, there is the possibility for someone else to sniff the passwords flowing through your site.


You can host a thimbl.net clone on your own server. There is no site yet, the system is not yet released. The login will certainly be ssl protected.


When using publickey auth method, you don't have to provide anything (except for, obviously, username and hostname), you have to temporarily trust thimbl.net's key. I.e., the process is:

1. thimbl.net provides its public key.

2. You add it to ~/.ssh/authorized_keys (or whatever your SSH server uses).

3. ...

4. That's it (remove key if you don't trust thimbl anymore or thimbl may even remove it by itself, at the end of setup process).


That would give us access to the user's account at any time. It seems requiring their password be sent with every request is more secure (over https, of course).


The thing that you are failing to realize is that it's easier to lock down access using a public key than a password. You can specify the amount of access an incoming ssh connection has based on the public key. You can't do that w/ a password.

I could have multiple keys, all w/ different access levels, all on the same user account. There is no way to do this with a password, other than to just have separate user accounts.


I'm pretty clear on how ssh works. We can certainly add support for keys as well, once we get the initial release out ;)


~/.ssh/authorized_keys:

from="proxy.thimbl.net",command="finger-wrapper" ssh-rsa AAAA...

Very doable.

Based on what tricknik has said so far, this strikes me as an HTML5 WebSocket spawning SSH. Similar to what was discussed here:

http://news.ycombinator.net/item?id=1694607

Great idea, I had awesome .plan files way-back-when and spend most of my time in my shell.

Updating my micro-blog with cat >> .plan ... ^D would be enjoyable. I am looking forward to your work!


Will be through an http to finger+ssh gateway initially, but ssh+finger directly in the browser is the longer term goal. cat to your .plan won't work, thimbl stores json in the .plan, however we will add support for cat > .project, but not in the first release.


It could just be me, but it seems that the sort of users who know and understand finger and SSH are not the sort of users who want to use a micro blogging service.


Understanding finger and ssh will not be required to use thimbl, only to set up thimbl service for your users, which we imagine will be the same people who set up the email and web for their domain: the sysops. Whether the sysops microblog or not is irrelevant ;)


I thought about this before (P2P communication similar to Twitter), but not via ssh. Why not just dedicate an incoming port (configurable) per group that you want to associate with?

- As soon as you started the connection, it would try to connect to all group members via their ports. If the group list is old, or if some are offline, maybe some/all wouldn't work.

- Whoever has the fastest response time, if their group list is newer than the existing group list, the client requests an updated group list from (just in case it is out of date). If no one is online, obviously this doesn't happen. The user of the client trying to update must ok the changes to the group list (to keep someone from gaming the system). You could also specify who to get the grouplist from.

- At this point the client must be ok'd by the others if his IP/port has never been accepted into the group before.

- If accepted, at this point the client is flagged as someone who has a group list to share.

- At this point the client can communicate with others in the list, and if you want it to be microblogging or just IM'ing, anything goes, depending on the client.


I'm not clear what's ultimately different here from running your own blog on your own server and offering feeds.

That it resurrects finger? ...So?

Of course, that's the problem - there isn't really anything here to talk about, just some 90s Wired magazine fodder of a slideshow and a plea for community help.


Yes, all that there is at this stage is a slide show. (all projects start somewhere). More will come soon very soon (mammatus is already finished and released, the ui is getting there) There is no plea for community help (though of course help is always welcome) it is a plea for sysops to turn their finger service on so their users can use thimbl, and an offer to help where help is needed. As for the difference between a decentralized microblogging service and a bunch of blogs with fees... we'll leave that as an exercise for the reader. Interesting that you bother to post a comment when you believe there is nothing to talk about, but thanks for the feedback in any case.


"There is no plea for community help"

From your slideshow: "THIMBL will succeed with a community. join us and help make a free, open social network"

"and a bunch of blogs with fees"

What "fees" for running free blogging software on my server?

"Interesting that you bother to post a comment"

It's called having an opinion. If you can't deal with skepticism after publishing PR material without having anything more substantive handy, rethink your strategy.


You can have whatever opinion you want, my opinion is that it is curious to post opinions on things you think are not worth talking about. If you don't get that, well, we have different opinions then. I meant 'feeds' not fees. Sorry. We didn't publish anything, I just shared a link to a text I wrote on my own twitter account (not even @thimbl), somebody else posted it here. We have never claimed to have anything more substantive handy at this stage, when we do, which will be soon, we will post that. Every project starts somewhere. Not sure where you see a "plea for help" in what you quote, it is an invitation, we want people who are interested in using thimbl to know they are welcome to contact us, and if they need any help, that we will help. Thanks for the comments.


I think it is very curious when someone builds a website and a slideshow to promote something, then claims he isn't publishing anything. Or when that person feels the need to misrepresent another who makes any sort of criticism.

First hint: I at no time said that I found this "not worth talking about". Those are words you tried to put in my mouth to distract from my noting that there's not much here to go on.

Second hint: People say "community, come help us succeed" in order to blame the lack of community help when they go nowhere.


Hey Semiapies, I'm really not sure why you think a project can't start with a website and a slideshow to try to explain what it is, or whether you are suggesting that we should only ever put anything on our website when we are done. Or what. No need to distract that there is not much here, there is not much here, I said so myself. In terms of criticism, and blame, again, I'm really not sure what you are talking about, we have no need to blame anyone for anything, and we're very much interested in criticism, I simply can't understand what yours is. That we should keep our slide show secret until the system is ready for launch? Well, as I said, I have a different opinion and prefer to be open. Whatever.


Tricknik, try actually responding in good faith to something I say - this involves not defensively putting words in my mouth - and I might bother.


I am trying. Can you summarize what you are saying?


Hmm. There's a lot of hyperbole, and very little description of how it actually works. And no, I'm not about to give a random website my ssh password :P

Anyone care to enlighten me further as to how it works?


Truly putting the micro in microblogging - or am I not supposed to be getting a totally blank page for http://www.thimbl.net/about ?


No, you're supposed to get a wall of bold white text on a screaming pink background, with no spacing between paragraphs. Not terribly readable.


All this is in early stages. We will have a proper "thimbl is coming page" soon! (and git repos)


Same problem here.

I changed my default SSH port to avoid brute-force, do you think I'm going to trust anybody with an actual password?


You don't need to, since if you like you can run the front end on your own servers as well. (but you don't have to, if you don't want)


wait, the login asks for my server and ssh password? oh how can we trust this???


You can't


But if we wrote a Thimbl user information update server and asked you to run that on your own server, you would do that and consider our service as secure as sshd? Really? Our position is that you give us a standard remote login interface, that is ssh, how you implement that for your own finger users is up to you (see my other comment).


you could always set up a super stripped down user with a random password. Not to say that I'm about to do that


We could always write a Thimbl only server to handle it, here's a start: http://www.devshed.com/c/a/Python/SSH-with-Twisted/


Is there a more secure way that a non-data-retaining service can connect with your server so a user can update their .plan file than sftp?


There are ways of locking down an incoming ssh connection to scp-only, you can even filter the files it has access to. I looked into this once, but never implemented it b/c we went elsewhere with the project.

Note: This is by making the handling script the thing that runs for a certain ssh key, I don't think it works with a password though.
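
The per-key lockdown discussed in this thread (the `from=`/`command=` entry in `authorized_keys`, and the "handling script" mentioned just above), sketched as an added example that is not part of the original thread or of Thimbl's code. It is a hypothetical body for the `finger-wrapper` command; the `update-plan` verb, the 64 KiB cap and the added `restrict` option are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical body for the `finger-wrapper` forced command (added example).

authorized_keys entry, the thread's line plus `restrict` (OpenSSH 7.2+):
  from="proxy.thimbl.net",command="finger-wrapper",restrict ssh-rsa AAAA...
"""
import json
import os
import sys
import tempfile

MAX_BYTES = 64 * 1024    # assumed size cap for a .plan
ALLOWED = "update-plan"  # hypothetical verb; every other request is refused


def handle(original_command, payload, plan_path):
    """Return (exit_code, message); the only side effect is writing plan_path."""
    # sshd runs the forced command instead of what the client asked for and
    # passes the request in SSH_ORIGINAL_COMMAND: treat it as untrusted text.
    if (original_command or "").strip() != ALLOWED:
        return 1, "refused: only 'update-plan' is permitted for this key"
    if len(payload) > MAX_BYTES:
        return 1, "refused: payload too large"
    try:
        doc = json.loads(payload.decode("utf-8"))
    except ValueError:  # covers both invalid UTF-8 and invalid JSON
        return 1, "refused: payload is not valid UTF-8 JSON"
    # Write a temp file in the same directory, then rename over .plan, so
    # the finger daemon never serves a half-written file.
    directory = os.path.dirname(os.path.abspath(plan_path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".plan.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(doc, fh)
        os.chmod(tmp, 0o644)  # the finger daemon must be able to read it
        os.replace(tmp, plan_path)
    except OSError:
        os.unlink(tmp)
        return 1, "error: could not write .plan"
    return 0, "ok"


if __name__ == "__main__":
    code, msg = handle(os.environ.get("SSH_ORIGINAL_COMMAND"),
                       sys.stdin.buffer.read(MAX_BYTES + 1),
                       os.path.expanduser("~/.plan"))
    print(msg, file=sys.stderr)
    sys.exit(code)
```

With this entry, a gateway holding the matching private key can replace `.plan` with valid JSON and do nothing else: no shell, no pty, no forwarding, and only from the named host.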


Exactly! There are many ways to set up secure ssh access. Which is why a solid, known protocol like ssh is the right one to use for remote login, because it provides many options and all sysops can configure access for their own users as they see fit, yet all users, on all systems can still follow each other.



In case anybody is still reading this thread, here is an ugly diagram of Thimbl's network topology:

https://docs.google.com/drawings/edit?id=182y8FZDPvY1R-SQnYC...


Seems like a neat idea, but the retina-burning color scheme is a bit much.

(For anyone working on the site that might be reading this, there's a "where" that should be a "were" and an "it's" that should be "its" in the first paragraph; I stopped reading there.)


Independence from capital-driven data-mining freedom-subverting services is relevant, but hosting the manifesto of sorts on google is a bit ironic.


Yeah, we have to get there before we get there. Get it?


btw, the reason we don't use public key is simple: thimbl.net stores no user data. none.


could i run it on my router? how much does it differ from a friendly botnet?


which part? in order to be followed by thimbl, all you need is ssh and xinetd/finger running. That's it. If you want to clone the thimbl http to finger&ssh gateway, the current implementation uses twisted / mammatus. If you want to run the UI, it's just static html/css/js that does jsonp calls to the gateway. more details will be posted in the next few days.


the About page is blank??



